RHSA-2015:2551 - Security Advisory

Synopsis

Type/Severity

Security Advisory: Moderate

Topic

Updated cfme packages that fix a security issue, several bugs, and add various enhancements are now available for Red Hat CloudForms 4.0.

Red Hat Product Security has rated this update as having Moderate Security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated, a local attacker might be able to gain access to sensitive information. (CVE-2015-7502)

This update also fixes several bugs. Documentation for these changes is available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

BZ - 1258985 - when a smartstate worker times out and is killed, any child processes (e.g., vixdisklibserver.rb processes) are not killed with their parents, leaving them running with PID 1 as the adopted parent process